
Skimming costs less than ever, but a new generation of credit cards might stop it.

Building (or buying) the perfect skimmer

Skimming isn’t rocket science—you need to capture the data from the card and (for ATM skims) the user’s PIN input on the keypad. All anyone needs to get started, Krehel told Ars, can be found with a few Web searches and some YouTube videos. Innovative black-market hardware hackers are also willing to give beginners everything they need—for a price.

Before skimmers get started—unless they’re planning on having victims hand over their physical cards—they have to figure out how to repackage their gear in convincing enough camouflage that cards can be inserted for a legitimate transaction without interference or suspicion. They also have to decide how they’re going to retrieve their ill-gotten data: will they wait patiently and collect the gear later, running the risk of discovery and removal before they can return? Or will they hover nearby and collect the data in real time so that they can immediately cash in?

The answers to those questions have become increasingly diverse and sophisticated. Thanks to the propagation of skimming marketplaces, would-be payment card data thieves can find kits built for just about any popular make and model of ATM machines. The more ambitious can buy ATM repair parts—or even whole ATMs—with which to engineer their own kits, then use a 3D printer to manufacture them.

The front of a card skimmer that Aaron Poffenberger found placed over the card slot of a Diebold ATM—note the notch for the reader heads.

Aaron Poffenberger

The back of the same skimming device, showing the battery, card reader, and storage device.

The skimmer’s gear starts with a card reader. Anyone can buy one, and they’re relatively inexpensive. You can get a basic reader, ready for hacking, from an electronics store for around five bucks or start with a complete USB-based off-the-shelf model for about $30 retail. (Interested hardware hackers can find instructions on how to build a complete card reader with an Arduino prototyping board for under $15 on Instructables.) More sophisticated readers, such as those with built-in Bluetooth connectivity, run for about 10 times that amount. Self-contained pocket card readers—the tool of choice for credit-card skimming rings like the Manhattan steakhouse operation—sell for around $200 and can store thousands of card swipes in digital form.

But real skimmers don’t need that kind of luxury. One of the most time-tested ways to batch-capture ATM data is to record the raw data—the magnetic waveform—as audio, using an MP3 player or other digital audio recorder. Audio skimmers use the same basic approach used by the card reader for the Square mobile payment app. The Square reader has a single read head positioned to pick up Track 2 of a payment card; the head sends the waveform of the track data to the phone via the audio plug’s microphone input. The software then converts the audio to binary data. (Square, incidentally, recently added encryption to its card reader to prevent it from being used as a skimming tool.) To read Tracks 1 and 2, it’s possible to wire a pair of reader heads to the left and right channels of a stereo audio input.

The same is true for remote capture—an attacker can use hacked Bluetooth headsets or even mobile phones to collect the waveform data as audio from a safe distance, then use signal processing software to convert the spikes in the waveforms into zeros and ones.

That kind of software is easily attainable if you know which online forum to visit, said Krehel. And a look at developer project boards shows that there are plenty of people who will write it for you as well. Square competitor VeriFone even published a proof-of-concept app last year that showed how easy it was to grab Track 2 data with the Square reader—before being forced to pull it, because it was perhaps a little too good of a proof-of-concept.

No matter which approach a skimmer takes to capturing the magnetic stripe data, he also has the tougher task of grabbing the PIN. The approach favored by many skimmers is equivalent to “shoulder-surfing” a password—using a concealed digital video camera to record a victim’s keyed entries on an ATM machine.

Another way to get victims’ PIN entries is to capture them directly using a keypad that overlays the ATM’s own. These overlays make contact with the ATM’s keypad, so the machine picks up the entries; at the same time, they store each keystroke in flash memory for later retrieval.

A skimming attack in California used a digital video recorder with a stereo audio input (camouflaged as the card reader cover for the ATM) to capture both video and track data.

Cashing out

Once they’ve retrieved magnetic stripe and PIN data from their gear, skimmers have an ever-expanding number of ways to turn them into cash. The most obvious way is to make a run for another ATM machine—usually one on another bank’s network, and preferably far from the first one.

Using a card writer and blank magnetic cards—similar to those used at hotel front desks to make room keys—skimmers can create a clone of an ATM card that will work just like the original, Krehel said. The same is true for credit cards, so long as they’re used somewhere where a clerk doesn’t need to look at them.

Other skimming operations go further, actually printing fake credit cards—sometimes from stolen credit card stock—using a card embossing system. For example, the ring of hackers who turned Subway franchises’ point-of-sale systems into skimmers with a remote access hack used an embossing machine to print counterfeit credit cards using the track data. (The cards had everything down to a card company logo.) They used the cards in a number of ways to turn credit into cash, including using them at French betting parlors.

The Manhattan steakhouse skimming ring did much the same thing. The 28-person organization targeted people using American Express Black cards and other high-limit credit cards, then put the skimmed credit card data from those cards onto forged credit cards.

For skimmers who don’t have the stomach (or credit card blanks) to go out and make transactions themselves, the Internet has another answer—they can sell the track data in bulk through online exchanges. A brisk trade of the binary data from skimmed cards takes place through forums and “automated vending cart” sites (just Google “track 1 and 2 dumps” to get an idea).

Two cellphones concealed in an ATM panel used to capture PIN and transmit the video wirelessly to a skimmer.